forked from lix-project/lix
Generate the nix.conf docs from the source code
This means we don't have two (divergent) sets of option descriptions anymore.
This commit is contained in:
parent
34b22e0123
commit
c8fa39324a
10 changed files with 802 additions and 834 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -26,7 +26,9 @@ perl/Makefile.config
|
||||||
/doc/manual/*.5
|
/doc/manual/*.5
|
||||||
/doc/manual/*.8
|
/doc/manual/*.8
|
||||||
/doc/manual/nix.json
|
/doc/manual/nix.json
|
||||||
|
/doc/manual/conf-file.json
|
||||||
/doc/manual/src/command-ref/nix.md
|
/doc/manual/src/command-ref/nix.md
|
||||||
|
/doc/manual/src/command-ref/conf-file.md
|
||||||
|
|
||||||
# /scripts/
|
# /scripts/
|
||||||
/scripts/nix-profile.sh
|
/scripts/nix-profile.sh
|
||||||
|
|
11
doc/manual/generate-options.jq
Normal file
11
doc/manual/generate-options.jq
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
. | to_entries | sort_by(.key) | map(
|
||||||
|
" - `" + .key + "` \n"
|
||||||
|
+ (.value.description | split("\n") | map(" " + . + "\n") | join("")) + "\n\n"
|
||||||
|
+ " **Default**: " + (
|
||||||
|
if .value.value == "" or .value.value == []
|
||||||
|
then "*empty*"
|
||||||
|
elif (.value.value | type) == "array"
|
||||||
|
then "`" + (.value.value | join(" ")) + "`"
|
||||||
|
else "`" + (.value.value | tostring) + "`" end)
|
||||||
|
+ "\n\n"
|
||||||
|
) | join("")
|
|
@ -27,9 +27,16 @@ $(d)/nix.conf.5: $(d)/src/command-ref/conf-file.md
|
||||||
$(d)/src/command-ref/nix.md: $(d)/nix.json $(d)/generate-manpage.jq
|
$(d)/src/command-ref/nix.md: $(d)/nix.json $(d)/generate-manpage.jq
|
||||||
jq -r -f doc/manual/generate-manpage.jq $< > $@
|
jq -r -f doc/manual/generate-manpage.jq $< > $@
|
||||||
|
|
||||||
|
$(d)/src/command-ref/conf-file.md: $(d)/conf-file.json $(d)/generate-options.jq $(d)/src/command-ref/conf-file-prefix.md
|
||||||
|
cat doc/manual/src/command-ref/conf-file-prefix.md > $@
|
||||||
|
jq -r -f doc/manual/generate-options.jq $< >> $@
|
||||||
|
|
||||||
$(d)/nix.json: $(bindir)/nix
|
$(d)/nix.json: $(bindir)/nix
|
||||||
$(trace-gen) $(bindir)/nix dump-args > $@
|
$(trace-gen) $(bindir)/nix dump-args > $@
|
||||||
|
|
||||||
|
$(d)/conf-file.json: $(bindir)/nix
|
||||||
|
$(trace-gen) env -i NIX_CONF_DIR=/dummy HOME=/dummy $(bindir)/nix show-config --json --experimental-features nix-command > $@
|
||||||
|
|
||||||
# Generate the HTML manual.
|
# Generate the HTML manual.
|
||||||
install: $(docdir)/manual/index.html
|
install: $(docdir)/manual/index.html
|
||||||
|
|
||||||
|
|
39
doc/manual/src/command-ref/conf-file-prefix.md
Normal file
39
doc/manual/src/command-ref/conf-file-prefix.md
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
Title: nix.conf
|
||||||
|
|
||||||
|
# Name
|
||||||
|
|
||||||
|
`nix.conf` - Nix configuration file
|
||||||
|
|
||||||
|
# Description
|
||||||
|
|
||||||
|
By default Nix reads settings from the following places:
|
||||||
|
|
||||||
|
- The system-wide configuration file `sysconfdir/nix/nix.conf` (i.e.
|
||||||
|
`/etc/nix/nix.conf` on most systems), or `$NIX_CONF_DIR/nix.conf` if
|
||||||
|
`NIX_CONF_DIR` is set. Values loaded in this file are not forwarded
|
||||||
|
to the Nix daemon. The client assumes that the daemon has already
|
||||||
|
loaded them.
|
||||||
|
|
||||||
|
- If `NIX_USER_CONF_FILES` is set, then each path separated by `:`
|
||||||
|
will be loaded in reverse order.
|
||||||
|
|
||||||
|
Otherwise it will look for `nix/nix.conf` files in `XDG_CONFIG_DIRS`
|
||||||
|
and `XDG_CONFIG_HOME`. If these are unset, it will look in
|
||||||
|
`$HOME/.config/nix.conf`.
|
||||||
|
|
||||||
|
The configuration files consist of `name =
|
||||||
|
value` pairs, one per line. Other files can be included with a line like
|
||||||
|
`include
|
||||||
|
path`, where *path* is interpreted relative to the current conf file and
|
||||||
|
a missing file is an error unless `!include` is used instead. Comments
|
||||||
|
start with a `#` character. Here is an example configuration file:
|
||||||
|
|
||||||
|
keep-outputs = true # Nice for developers
|
||||||
|
keep-derivations = true # Idem
|
||||||
|
|
||||||
|
You can override settings on the command line using the `--option` flag,
|
||||||
|
e.g. `--option keep-outputs
|
||||||
|
false`.
|
||||||
|
|
||||||
|
The following settings are currently available:
|
||||||
|
|
|
@ -1,691 +0,0 @@
|
||||||
Title: nix.conf
|
|
||||||
|
|
||||||
# Name
|
|
||||||
|
|
||||||
`nix.conf` - Nix configuration file
|
|
||||||
|
|
||||||
# Description
|
|
||||||
|
|
||||||
By default Nix reads settings from the following places:
|
|
||||||
|
|
||||||
- The system-wide configuration file `sysconfdir/nix/nix.conf` (i.e.
|
|
||||||
`/etc/nix/nix.conf` on most systems), or `$NIX_CONF_DIR/nix.conf` if
|
|
||||||
`NIX_CONF_DIR` is set. Values loaded in this file are not forwarded
|
|
||||||
to the Nix daemon. The client assumes that the daemon has already
|
|
||||||
loaded them.
|
|
||||||
|
|
||||||
- If `NIX_USER_CONF_FILES` is set, then each path separated by `:`
|
|
||||||
will be loaded in reverse order.
|
|
||||||
|
|
||||||
Otherwise it will look for `nix/nix.conf` files in `XDG_CONFIG_DIRS`
|
|
||||||
and `XDG_CONFIG_HOME`. If these are unset, it will look in
|
|
||||||
`$HOME/.config/nix.conf`.
|
|
||||||
|
|
||||||
The configuration files consist of `name =
|
|
||||||
value` pairs, one per line. Other files can be included with a line like
|
|
||||||
`include
|
|
||||||
path`, where *path* is interpreted relative to the current conf file and
|
|
||||||
a missing file is an error unless `!include` is used instead. Comments
|
|
||||||
start with a `#` character. Here is an example configuration file:
|
|
||||||
|
|
||||||
keep-outputs = true # Nice for developers
|
|
||||||
keep-derivations = true # Idem
|
|
||||||
|
|
||||||
You can override settings on the command line using the `--option` flag,
|
|
||||||
e.g. `--option keep-outputs
|
|
||||||
false`.
|
|
||||||
|
|
||||||
The following settings are currently available:
|
|
||||||
|
|
||||||
- `allowed-uris`
|
|
||||||
A list of URI prefixes to which access is allowed in restricted
|
|
||||||
evaluation mode. For example, when set to
|
|
||||||
`https://github.com/NixOS`, builtin functions such as `fetchGit` are
|
|
||||||
allowed to access `https://github.com/NixOS/patchelf.git`.
|
|
||||||
|
|
||||||
- `allow-import-from-derivation`
|
|
||||||
By default, Nix allows you to `import` from a derivation, allowing
|
|
||||||
building at evaluation time. With this option set to false, Nix will
|
|
||||||
throw an error when evaluating an expression that uses this feature,
|
|
||||||
allowing users to ensure their evaluation will not require any
|
|
||||||
builds to take place.
|
|
||||||
|
|
||||||
- `allow-new-privileges`
|
|
||||||
(Linux-specific.) By default, builders on Linux cannot acquire new
|
|
||||||
privileges by calling setuid/setgid programs or programs that have
|
|
||||||
file capabilities. For example, programs such as `sudo` or `ping`
|
|
||||||
will fail. (Note that in sandbox builds, no such programs are
|
|
||||||
available unless you bind-mount them into the sandbox via the
|
|
||||||
`sandbox-paths` option.) You can allow the use of such programs by
|
|
||||||
enabling this option. This is impure and usually undesirable, but
|
|
||||||
may be useful in certain scenarios (e.g. to spin up containers or
|
|
||||||
set up userspace network interfaces in tests).
|
|
||||||
|
|
||||||
- `allowed-users`
|
|
||||||
A list of names of users (separated by whitespace) that are allowed
|
|
||||||
to connect to the Nix daemon. As with the `trusted-users` option,
|
|
||||||
you can specify groups by prefixing them with `@`. Also, you can
|
|
||||||
allow all users by specifying `*`. The default is `*`.
|
|
||||||
|
|
||||||
Note that trusted users are always allowed to connect.
|
|
||||||
|
|
||||||
- `auto-optimise-store`
|
|
||||||
If set to `true`, Nix automatically detects files in the store
|
|
||||||
that have identical contents, and replaces them with hard links to
|
|
||||||
a single copy. This saves disk space. If set to `false` (the
|
|
||||||
default), you can still run `nix-store --optimise` to get rid of
|
|
||||||
duplicate files.
|
|
||||||
|
|
||||||
- `builders`
|
|
||||||
A list of machines on which to perform builds.
|
|
||||||
|
|
||||||
- `builders-use-substitutes`
|
|
||||||
If set to `true`, Nix will instruct remote build machines to use
|
|
||||||
their own binary substitutes if available. In practical terms, this
|
|
||||||
means that remote hosts will fetch as many build dependencies as
|
|
||||||
possible from their own substitutes (e.g, from `cache.nixos.org`),
|
|
||||||
instead of waiting for this host to upload them all. This can
|
|
||||||
drastically reduce build times if the network connection between
|
|
||||||
this computer and the remote build host is slow. Defaults to
|
|
||||||
`false`.
|
|
||||||
|
|
||||||
- `build-users-group`
|
|
||||||
This options specifies the Unix group containing the Nix build user
|
|
||||||
accounts. In multi-user Nix installations, builds should not be
|
|
||||||
performed by the Nix account since that would allow users to
|
|
||||||
arbitrarily modify the Nix store and database by supplying specially
|
|
||||||
crafted builders; and they cannot be performed by the calling user
|
|
||||||
since that would allow him/her to influence the build result.
|
|
||||||
|
|
||||||
Therefore, if this option is non-empty and specifies a valid group,
|
|
||||||
builds will be performed under the user accounts that are a member
|
|
||||||
of the group specified here (as listed in `/etc/group`). Those user
|
|
||||||
accounts should not be used for any other purpose\!
|
|
||||||
|
|
||||||
Nix will never run two builds under the same user account at the
|
|
||||||
same time. This is to prevent an obvious security hole: a malicious
|
|
||||||
user writing a Nix expression that modifies the build result of a
|
|
||||||
legitimate Nix expression being built by another user. Therefore it
|
|
||||||
is good to have as many Nix build user accounts as you can spare.
|
|
||||||
(Remember: uids are cheap.)
|
|
||||||
|
|
||||||
The build users should have permission to create files in the Nix
|
|
||||||
store, but not delete them. Therefore, `/nix/store` should be owned
|
|
||||||
by the Nix account, its group should be the group specified here,
|
|
||||||
and its mode should be `1775`.
|
|
||||||
|
|
||||||
If the build users group is empty, builds will be performed under
|
|
||||||
the uid of the Nix process (that is, the uid of the caller if
|
|
||||||
`NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
|
|
||||||
`NIX_REMOTE` is `daemon`). Obviously, this should not be used in
|
|
||||||
multi-user settings with untrusted users.
|
|
||||||
|
|
||||||
- `compress-build-log`
|
|
||||||
If set to `true` (the default), build logs written to
|
|
||||||
`/nix/var/log/nix/drvs` will be compressed on the fly using bzip2.
|
|
||||||
Otherwise, they will not be compressed.
|
|
||||||
|
|
||||||
- `connect-timeout`
|
|
||||||
The timeout (in seconds) for establishing connections in the binary
|
|
||||||
cache substituter. It corresponds to `curl`’s `--connect-timeout`
|
|
||||||
option.
|
|
||||||
|
|
||||||
- `cores`
|
|
||||||
Sets the value of the `NIX_BUILD_CORES` environment variable in the
|
|
||||||
invocation of builders. Builders can use this variable at their
|
|
||||||
discretion to control the maximum amount of parallelism. For
|
|
||||||
instance, in Nixpkgs, if the derivation attribute
|
|
||||||
`enableParallelBuilding` is set to `true`, the builder passes the
|
|
||||||
`-jN` flag to GNU Make. It can be overridden using the `--cores`
|
|
||||||
command line switch and defaults to `1`. The value `0` means that
|
|
||||||
the builder should use all available CPU cores in the system.
|
|
||||||
|
|
||||||
- `diff-hook`
|
|
||||||
Absolute path to an executable capable of diffing build
|
|
||||||
results. The hook is executed if `run-diff-hook` is true, and the
|
|
||||||
output of a build is known to not be the same. This program is not
|
|
||||||
executed to determine if two results are the same.
|
|
||||||
|
|
||||||
The diff hook is executed by the same user and group who ran the
|
|
||||||
build. However, the diff hook does not have write access to the
|
|
||||||
store path just built.
|
|
||||||
|
|
||||||
The diff hook program receives three parameters:
|
|
||||||
|
|
||||||
1. A path to the previous build's results
|
|
||||||
|
|
||||||
2. A path to the current build's results
|
|
||||||
|
|
||||||
3. The path to the build's derivation
|
|
||||||
|
|
||||||
4. The path to the build's scratch directory. This directory will
|
|
||||||
exist only if the build was run with `--keep-failed`.
|
|
||||||
|
|
||||||
The stderr and stdout output from the diff hook will not be
|
|
||||||
displayed to the user. Instead, it will print to the nix-daemon's
|
|
||||||
log.
|
|
||||||
|
|
||||||
When using the Nix daemon, `diff-hook` must be set in the `nix.conf`
|
|
||||||
configuration file, and cannot be passed at the command line.
|
|
||||||
|
|
||||||
- `enforce-determinism`
|
|
||||||
See `repeat`.
|
|
||||||
|
|
||||||
- `extra-sandbox-paths`
|
|
||||||
A list of additional paths appended to `sandbox-paths`. Useful if
|
|
||||||
you want to extend its default value.
|
|
||||||
|
|
||||||
- `extra-platforms`
|
|
||||||
Platforms other than the native one which this machine is capable of
|
|
||||||
building for. This can be useful for supporting additional
|
|
||||||
architectures on compatible machines: i686-linux can be built on
|
|
||||||
x86\_64-linux machines (and the default for this setting reflects
|
|
||||||
this); armv7 is backwards-compatible with armv6 and armv5tel; some
|
|
||||||
aarch64 machines can also natively run 32-bit ARM code; and
|
|
||||||
qemu-user may be used to support non-native platforms (though this
|
|
||||||
may be slow and buggy). Most values for this are not enabled by
|
|
||||||
default because build systems will often misdetect the target
|
|
||||||
platform and generate incompatible code, so you may wish to
|
|
||||||
cross-check the results of using this option against proper
|
|
||||||
natively-built versions of your derivations.
|
|
||||||
|
|
||||||
- `extra-substituters`
|
|
||||||
Additional binary caches appended to those specified in
|
|
||||||
`substituters`. When used by unprivileged users, untrusted
|
|
||||||
substituters (i.e. those not listed in `trusted-substituters`) are
|
|
||||||
silently ignored.
|
|
||||||
|
|
||||||
- `fallback`
|
|
||||||
If set to `true`, Nix will fall back to building from source if a
|
|
||||||
binary substitute fails. This is equivalent to the `--fallback`
|
|
||||||
flag. The default is `false`.
|
|
||||||
|
|
||||||
- `fsync-metadata`
|
|
||||||
If set to `true`, changes to the Nix store metadata (in
|
|
||||||
`/nix/var/nix/db`) are synchronously flushed to disk. This improves
|
|
||||||
robustness in case of system crashes, but reduces performance. The
|
|
||||||
default is `true`.
|
|
||||||
|
|
||||||
- `hashed-mirrors`
|
|
||||||
A list of web servers used by `builtins.fetchurl` to obtain files by
|
|
||||||
hash. The default is `http://tarballs.nixos.org/`. Given a hash type
|
|
||||||
*ht* and a base-16 hash *h*, Nix will try to download the file from
|
|
||||||
*hashed-mirror*/*ht*/*h*. This allows files to be downloaded even if
|
|
||||||
they have disappeared from their original URI. For example, given
|
|
||||||
the default mirror `http://tarballs.nixos.org/`, when building the
|
|
||||||
derivation
|
|
||||||
|
|
||||||
```nix
|
|
||||||
builtins.fetchurl {
|
|
||||||
url = "https://example.org/foo-1.2.3.tar.xz";
|
|
||||||
sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Nix will attempt to download this file from
|
|
||||||
`http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae`
|
|
||||||
first. If it is not available there, if will try the original URI.
|
|
||||||
|
|
||||||
- `http-connections`
|
|
||||||
The maximum number of parallel TCP connections used to fetch files
|
|
||||||
from binary caches and by other downloads. It defaults to 25. 0
|
|
||||||
means no limit.
|
|
||||||
|
|
||||||
- `keep-build-log`
|
|
||||||
If set to `true` (the default), Nix will write the build log of a
|
|
||||||
derivation (i.e. the standard output and error of its builder) to
|
|
||||||
the directory `/nix/var/log/nix/drvs`. The build log can be
|
|
||||||
retrieved using the command `nix-store -l path`.
|
|
||||||
|
|
||||||
- `keep-derivations`
|
|
||||||
If `true` (default), the garbage collector will keep the derivations
|
|
||||||
from which non-garbage store paths were built. If `false`, they will
|
|
||||||
be deleted unless explicitly registered as a root (or reachable from
|
|
||||||
other roots).
|
|
||||||
|
|
||||||
Keeping derivation around is useful for querying and traceability
|
|
||||||
(e.g., it allows you to ask with what dependencies or options a
|
|
||||||
store path was built), so by default this option is on. Turn it off
|
|
||||||
to save a bit of disk space (or a lot if `keep-outputs` is also
|
|
||||||
turned on).
|
|
||||||
|
|
||||||
- `keep-env-derivations`
|
|
||||||
If `false` (default), derivations are not stored in Nix user
|
|
||||||
environments. That is, the derivations of any build-time-only
|
|
||||||
dependencies may be garbage-collected.
|
|
||||||
|
|
||||||
If `true`, when you add a Nix derivation to a user environment, the
|
|
||||||
path of the derivation is stored in the user environment. Thus, the
|
|
||||||
derivation will not be garbage-collected until the user environment
|
|
||||||
generation is deleted (`nix-env --delete-generations`). To prevent
|
|
||||||
build-time-only dependencies from being collected, you should also
|
|
||||||
turn on `keep-outputs`.
|
|
||||||
|
|
||||||
The difference between this option and `keep-derivations` is that
|
|
||||||
this one is “sticky”: it applies to any user environment created
|
|
||||||
while this option was enabled, while `keep-derivations` only applies
|
|
||||||
at the moment the garbage collector is run.
|
|
||||||
|
|
||||||
- `keep-outputs`
|
|
||||||
If `true`, the garbage collector will keep the outputs of
|
|
||||||
non-garbage derivations. If `false` (default), outputs will be
|
|
||||||
deleted unless they are GC roots themselves (or reachable from other
|
|
||||||
roots).
|
|
||||||
|
|
||||||
In general, outputs must be registered as roots separately. However,
|
|
||||||
even if the output of a derivation is registered as a root, the
|
|
||||||
collector will still delete store paths that are used only at build
|
|
||||||
time (e.g., the C compiler, or source tarballs downloaded from the
|
|
||||||
network). To prevent it from doing so, set this option to `true`.
|
|
||||||
|
|
||||||
- `max-build-log-size`
|
|
||||||
This option defines the maximum number of bytes that a builder can
|
|
||||||
write to its stdout/stderr. If the builder exceeds this limit, it’s
|
|
||||||
killed. A value of `0` (the default) means that there is no limit.
|
|
||||||
|
|
||||||
- `max-free`
|
|
||||||
When a garbage collection is triggered by the `min-free` option, it
|
|
||||||
stops as soon as `max-free` bytes are available. The default is
|
|
||||||
infinity (i.e. delete all garbage).
|
|
||||||
|
|
||||||
- `max-jobs`
|
|
||||||
This option defines the maximum number of jobs that Nix will try to
|
|
||||||
build in parallel. The default is `1`. The special value `auto`
|
|
||||||
causes Nix to use the number of CPUs in your system. `0` is useful
|
|
||||||
when using remote builders to prevent any local builds (except for
|
|
||||||
`preferLocalBuild` derivation attribute which executes locally
|
|
||||||
regardless). It can be overridden using the `--max-jobs` (`-j`)
|
|
||||||
command line switch.
|
|
||||||
|
|
||||||
- `max-silent-time`
|
|
||||||
This option defines the maximum number of seconds that a builder can
|
|
||||||
go without producing any data on standard output or standard error.
|
|
||||||
This is useful (for instance in an automated build system) to catch
|
|
||||||
builds that are stuck in an infinite loop, or to catch remote builds
|
|
||||||
that are hanging due to network problems. It can be overridden using
|
|
||||||
the `--max-silent-time` command line switch.
|
|
||||||
|
|
||||||
The value `0` means that there is no timeout. This is also the
|
|
||||||
default.
|
|
||||||
|
|
||||||
- `min-free`
|
|
||||||
When free disk space in `/nix/store` drops below `min-free` during a
|
|
||||||
build, Nix performs a garbage-collection until `max-free` bytes are
|
|
||||||
available or there is no more garbage. A value of `0` (the default)
|
|
||||||
disables this feature.
|
|
||||||
|
|
||||||
- `narinfo-cache-negative-ttl`
|
|
||||||
The TTL in seconds for negative lookups. If a store path is queried
|
|
||||||
from a substituter but was not found, there will be a negative
|
|
||||||
lookup cached in the local disk cache database for the specified
|
|
||||||
duration.
|
|
||||||
|
|
||||||
- `narinfo-cache-positive-ttl`
|
|
||||||
The TTL in seconds for positive lookups. If a store path is queried
|
|
||||||
from a substituter, the result of the query will be cached in the
|
|
||||||
local disk cache database including some of the NAR metadata. The
|
|
||||||
default TTL is a month, setting a shorter TTL for positive lookups
|
|
||||||
can be useful for binary caches that have frequent garbage
|
|
||||||
collection, in which case having a more frequent cache invalidation
|
|
||||||
would prevent trying to pull the path again and failing with a hash
|
|
||||||
mismatch if the build isn't reproducible.
|
|
||||||
|
|
||||||
- `netrc-file`
|
|
||||||
If set to an absolute path to a `netrc` file, Nix will use the HTTP
|
|
||||||
authentication credentials in this file when trying to download from
|
|
||||||
a remote host through HTTP or HTTPS. Defaults to
|
|
||||||
`$NIX_CONF_DIR/netrc`.
|
|
||||||
|
|
||||||
The `netrc` file consists of a list of accounts in the following
|
|
||||||
format:
|
|
||||||
|
|
||||||
machine my-machine
|
|
||||||
login my-username
|
|
||||||
password my-password
|
|
||||||
|
|
||||||
For the exact syntax, see [the `curl`
|
|
||||||
documentation](https://ec.haxx.se/usingcurl-netrc.html).
|
|
||||||
|
|
||||||
> **Note**
|
|
||||||
>
|
|
||||||
> This must be an absolute path, and `~` is not resolved. For
|
|
||||||
> example, `~/.netrc` won't resolve to your home directory's
|
|
||||||
> `.netrc`.
|
|
||||||
|
|
||||||
- `plugin-files`
|
|
||||||
A list of plugin files to be loaded by Nix. Each of these files will
|
|
||||||
be dlopened by Nix, allowing them to affect execution through static
|
|
||||||
initialization. In particular, these plugins may construct static
|
|
||||||
instances of RegisterPrimOp to add new primops or constants to the
|
|
||||||
expression language, RegisterStoreImplementation to add new store
|
|
||||||
implementations, RegisterCommand to add new subcommands to the `nix`
|
|
||||||
command, and RegisterSetting to add new nix config settings. See the
|
|
||||||
constructors for those types for more details.
|
|
||||||
|
|
||||||
Since these files are loaded into the same address space as Nix
|
|
||||||
itself, they must be DSOs compatible with the instance of Nix
|
|
||||||
running at the time (i.e. compiled against the same headers, not
|
|
||||||
linked to any incompatible libraries). They should not be linked to
|
|
||||||
any Nix libs directly, as those will be available already at load
|
|
||||||
time.
|
|
||||||
|
|
||||||
If an entry in the list is a directory, all files in the directory
|
|
||||||
are loaded as plugins (non-recursively).
|
|
||||||
|
|
||||||
- `pre-build-hook`
|
|
||||||
If set, the path to a program that can set extra derivation-specific
|
|
||||||
settings for this system. This is used for settings that can't be
|
|
||||||
captured by the derivation model itself and are too variable between
|
|
||||||
different versions of the same system to be hard-coded into nix.
|
|
||||||
|
|
||||||
The hook is passed the derivation path and, if sandboxes are
|
|
||||||
enabled, the sandbox directory. It can then modify the sandbox and
|
|
||||||
send a series of commands to modify various settings to stdout. The
|
|
||||||
currently recognized commands are:
|
|
||||||
|
|
||||||
- `extra-sandbox-paths`
|
|
||||||
Pass a list of files and directories to be included in the
|
|
||||||
sandbox for this build. One entry per line, terminated by an
|
|
||||||
empty line. Entries have the same format as `sandbox-paths`.
|
|
||||||
|
|
||||||
- `post-build-hook`
|
|
||||||
Optional. The path to a program to execute after each build.
|
|
||||||
|
|
||||||
This option is only settable in the global `nix.conf`, or on the
|
|
||||||
command line by trusted users.
|
|
||||||
|
|
||||||
When using the nix-daemon, the daemon executes the hook as `root`.
|
|
||||||
If the nix-daemon is not involved, the hook runs as the user
|
|
||||||
executing the nix-build.
|
|
||||||
|
|
||||||
- The hook executes after an evaluation-time build.
|
|
||||||
|
|
||||||
- The hook does not execute on substituted paths.
|
|
||||||
|
|
||||||
- The hook's output always goes to the user's terminal.
|
|
||||||
|
|
||||||
- If the hook fails, the build succeeds but no further builds
|
|
||||||
execute.
|
|
||||||
|
|
||||||
- The hook executes synchronously, and blocks other builds from
|
|
||||||
progressing while it runs.
|
|
||||||
|
|
||||||
The program executes with no arguments. The program's environment
|
|
||||||
contains the following environment variables:
|
|
||||||
|
|
||||||
- `DRV_PATH`
|
|
||||||
The derivation for the built paths.
|
|
||||||
|
|
||||||
Example:
|
|
||||||
`/nix/store/5nihn1a7pa8b25l9zafqaqibznlvvp3f-bash-4.4-p23.drv`
|
|
||||||
|
|
||||||
- `OUT_PATHS`
|
|
||||||
Output paths of the built derivation, separated by a space
|
|
||||||
character.
|
|
||||||
|
|
||||||
Example:
|
|
||||||
`/nix/store/zf5lbh336mnzf1nlswdn11g4n2m8zh3g-bash-4.4-p23-dev
|
|
||||||
/nix/store/rjxwxwv1fpn9wa2x5ssk5phzwlcv4mna-bash-4.4-p23-doc
|
|
||||||
/nix/store/6bqvbzjkcp9695dq0dpl5y43nvy37pq1-bash-4.4-p23-info
|
|
||||||
/nix/store/r7fng3kk3vlpdlh2idnrbn37vh4imlj2-bash-4.4-p23-man
|
|
||||||
/nix/store/xfghy8ixrhz3kyy6p724iv3cxji088dx-bash-4.4-p23`.
|
|
||||||
|
|
||||||
- `repeat`
|
|
||||||
How many times to repeat builds to check whether they are
|
|
||||||
deterministic. The default value is 0. If the value is non-zero,
|
|
||||||
every build is repeated the specified number of times. If the
|
|
||||||
contents of any of the runs differs from the previous ones and
|
|
||||||
`enforce-determinism` is true, the build is rejected and the
|
|
||||||
resulting store paths are not registered as “valid” in Nix’s
|
|
||||||
database.
|
|
||||||
|
|
||||||
- `require-sigs`
|
|
||||||
If set to `true` (the default), any non-content-addressed path added
|
|
||||||
or copied to the Nix store (e.g. when substituting from a binary
|
|
||||||
cache) must have a valid signature, that is, be signed using one of
|
|
||||||
the keys listed in `trusted-public-keys` or `secret-key-files`. Set
|
|
||||||
to `false` to disable signature checking.
|
|
||||||
|
|
||||||
- `restrict-eval`
|
|
||||||
If set to `true`, the Nix evaluator will not allow access to any
|
|
||||||
files outside of the Nix search path (as set via the `NIX_PATH`
|
|
||||||
environment variable or the `-I` option), or to URIs outside of
|
|
||||||
`allowed-uri`. The default is `false`.
|
|
||||||
|
|
||||||
- `run-diff-hook`
|
|
||||||
If true, enable the execution of the `diff-hook` program.
|
|
||||||
|
|
||||||
When using the Nix daemon, `run-diff-hook` must be set in the
|
|
||||||
`nix.conf` configuration file, and cannot be passed at the command
|
|
||||||
line.
|
|
||||||
|
|
||||||
- `sandbox`
|
|
||||||
If set to `true`, builds will be performed in a *sandboxed
|
|
||||||
environment*, i.e., they’re isolated from the normal file system
|
|
||||||
hierarchy and will only see their dependencies in the Nix store,
|
|
||||||
the temporary build directory, private versions of `/proc`,
|
|
||||||
`/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths
|
|
||||||
configured with the `sandbox-paths` option. This is useful to
|
|
||||||
prevent undeclared dependencies on files in directories such as
|
|
||||||
`/usr/bin`. In addition, on Linux, builds run in private PID,
|
|
||||||
mount, network, IPC and UTS namespaces to isolate them from other
|
|
||||||
processes in the system (except that fixed-output derivations do
|
|
||||||
not run in private network namespace to ensure they can access the
|
|
||||||
network).
|
|
||||||
|
|
||||||
Currently, sandboxing only work on Linux and macOS. The use of a
|
|
||||||
sandbox requires that Nix is run as root (so you should use the
|
|
||||||
“build users” feature to perform the actual builds under different
|
|
||||||
users than root).
|
|
||||||
|
|
||||||
If this option is set to `relaxed`, then fixed-output derivations
|
|
||||||
and derivations that have the `__noChroot` attribute set to `true`
|
|
||||||
do not run in sandboxes.
|
|
||||||
|
|
||||||
The default is `true` on Linux and `false` on all other platforms.
|
|
||||||
|
|
||||||
- `sandbox-dev-shm-size`
|
|
||||||
This option determines the maximum size of the `tmpfs` filesystem
|
|
||||||
mounted on `/dev/shm` in Linux sandboxes. For the format, see the
|
|
||||||
description of the `size` option of `tmpfs` in mount8. The default
|
|
||||||
is `50%`.
|
|
||||||
|
|
||||||
- `sandbox-paths`
|
|
||||||
A list of paths bind-mounted into Nix sandbox environments. You can
|
|
||||||
use the syntax `target=source` to mount a path in a different
|
|
||||||
location in the sandbox; for instance, `/bin=/nix-bin` will mount
|
|
||||||
the path `/nix-bin` as `/bin` inside the sandbox. If *source* is
|
|
||||||
followed by `?`, then it is not an error if *source* does not exist;
|
|
||||||
for example, `/dev/nvidiactl?` specifies that `/dev/nvidiactl` will
|
|
||||||
only be mounted in the sandbox if it exists in the host filesystem.
|
|
||||||
|
|
||||||
Depending on how Nix was built, the default value for this option
|
|
||||||
may be empty or provide `/bin/sh` as a bind-mount of `bash`.
|
|
||||||
|
|
||||||
- `secret-key-files`
|
|
||||||
A whitespace-separated list of files containing secret (private)
|
|
||||||
keys. These are used to sign locally-built paths. They can be
|
|
||||||
generated using `nix-store --generate-binary-cache-key`. The
|
|
||||||
corresponding public key can be distributed to other users, who
|
|
||||||
can add it to `trusted-public-keys` in their `nix.conf`.
|
|
||||||
|
|
||||||
- `show-trace`
|
|
||||||
Causes Nix to print out a stack trace in case of Nix expression
|
|
||||||
evaluation errors.
|
|
||||||
|
|
||||||
- `substitute`
|
|
||||||
If set to `true` (default), Nix will use binary substitutes if
|
|
||||||
available. This option can be disabled to force building from
|
|
||||||
source.
|
|
||||||
|
|
||||||
- `stalled-download-timeout`
|
|
||||||
The timeout (in seconds) for receiving data from servers during
|
|
||||||
download. Nix cancels idle downloads after this timeout's duration.
|
|
||||||
|
|
||||||
- `substituters`
|
|
||||||
A list of URLs of substituters, separated by whitespace. The default
|
|
||||||
is `https://cache.nixos.org`.
|
|
||||||
|
|
||||||
- `system`
|
|
||||||
This option specifies the canonical Nix system name of the current
|
|
||||||
installation, such as `i686-linux` or `x86_64-darwin`. Nix can only
|
|
||||||
build derivations whose `system` attribute equals the value
|
|
||||||
specified here. In general, it never makes sense to modify this
|
|
||||||
value from its default, since you can use it to ‘lie’ about the
|
|
||||||
platform you are building on (e.g., perform a Mac OS build on a
|
|
||||||
Linux machine; the result would obviously be wrong). It only makes
|
|
||||||
sense if the Nix binaries can run on multiple platforms, e.g.,
|
|
||||||
‘universal binaries’ that run on `x86_64-linux` and `i686-linux`.
|
|
||||||
|
|
||||||
It defaults to the canonical Nix system name detected by `configure`
|
|
||||||
at build time.
|
|
||||||
|
|
||||||
- `system-features`
|
|
||||||
A set of system “features” supported by this machine, e.g. `kvm`.
|
|
||||||
Derivations can express a dependency on such features through the
|
|
||||||
derivation attribute `requiredSystemFeatures`. For example, the
|
|
||||||
attribute
|
|
||||||
|
|
||||||
requiredSystemFeatures = [ "kvm" ];
|
|
||||||
|
|
||||||
ensures that the derivation can only be built on a machine with the
|
|
||||||
`kvm` feature.
|
|
||||||
|
|
||||||
This setting by default includes `kvm` if `/dev/kvm` is accessible,
|
|
||||||
and the pseudo-features `nixos-test`, `benchmark` and `big-parallel`
|
|
||||||
that are used in Nixpkgs to route builds to specific machines.
|
|
||||||
|
|
||||||
- `tarball-ttl`
|
|
||||||
Default: `3600` seconds.
|
|
||||||
|
|
||||||
The number of seconds a downloaded tarball is considered fresh. If
|
|
||||||
the cached tarball is stale, Nix will check whether it is still up
|
|
||||||
to date using the ETag header. Nix will download a new version if
|
|
||||||
the ETag header is unsupported, or the cached ETag doesn't match.
|
|
||||||
|
|
||||||
Setting the TTL to `0` forces Nix to always check if the tarball is
|
|
||||||
up to date.
|
|
||||||
|
|
||||||
Nix caches tarballs in `$XDG_CACHE_HOME/nix/tarballs`.
|
|
||||||
|
|
||||||
Files fetched via `NIX_PATH`, `fetchGit`, `fetchMercurial`,
|
|
||||||
`fetchTarball`, and `fetchurl` respect this TTL.
|
|
||||||
|
|
||||||
- `timeout`
|
|
||||||
This option defines the maximum number of seconds that a builder can
|
|
||||||
run. This is useful (for instance in an automated build system) to
|
|
||||||
catch builds that are stuck in an infinite loop but keep writing to
|
|
||||||
their standard output or standard error. It can be overridden using
|
|
||||||
the `--timeout` command line switch.
|
|
||||||
|
|
||||||
The value `0` means that there is no timeout. This is also the
|
|
||||||
default.
|
|
||||||
|
|
||||||
- `trace-function-calls`
|
|
||||||
Default: `false`.
|
|
||||||
|
|
||||||
If set to `true`, the Nix evaluator will trace every function call.
|
|
||||||
Nix will print a log message at the "vomit" level for every function
|
|
||||||
entrance and function exit.
|
|
||||||
|
|
||||||
function-trace entered undefined position at 1565795816999559622
|
|
||||||
function-trace exited undefined position at 1565795816999581277
|
|
||||||
function-trace entered /nix/store/.../example.nix:226:41 at 1565795253249935150
|
|
||||||
function-trace exited /nix/store/.../example.nix:226:41 at 1565795253249941684
|
|
||||||
|
|
||||||
The `undefined position` means the function call is a builtin.
|
|
||||||
|
|
||||||
Use the `contrib/stack-collapse.py` script distributed with the Nix
|
|
||||||
source code to convert the trace logs in to a format suitable for
|
|
||||||
`flamegraph.pl`.
|
|
||||||
|
|
||||||
- `trusted-public-keys`
|
|
||||||
A whitespace-separated list of public keys. When paths are copied
|
|
||||||
from another Nix store (such as a binary cache), they must be
|
|
||||||
signed with one of these keys. For example:
|
|
||||||
`cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
|
|
||||||
hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=`.
|
|
||||||
|
|
||||||
- `trusted-substituters`
|
|
||||||
A list of URLs of substituters, separated by whitespace. These are
|
|
||||||
not used by default, but can be enabled by users of the Nix daemon
|
|
||||||
by specifying `--option substituters urls` on the command
|
|
||||||
line. Unprivileged users are only allowed to pass a subset of the
|
|
||||||
URLs listed in `substituters` and `trusted-substituters`.
|
|
||||||
|
|
||||||
- `trusted-users`
|
|
||||||
A list of names of users (separated by whitespace) that have
|
|
||||||
additional rights when connecting to the Nix daemon, such as the
|
|
||||||
ability to specify additional binary caches, or to import unsigned
|
|
||||||
NARs. You can also specify groups by prefixing them with `@`; for
|
|
||||||
instance, `@wheel` means all users in the `wheel` group. The default
|
|
||||||
is `root`.
|
|
||||||
|
|
||||||
> **Warning**
|
|
||||||
>
|
|
||||||
> Adding a user to `trusted-users` is essentially equivalent to
|
|
||||||
> giving that user root access to the system. For example, the user
|
|
||||||
> can set `sandbox-paths` and thereby obtain read access to
|
|
||||||
> directories that are otherwise inacessible to them.
|
|
||||||
|
|
||||||
## Deprecated Settings
|
|
||||||
|
|
||||||
- `binary-caches`
|
|
||||||
*Deprecated:* `binary-caches` is now an alias to `substituters`.
|
|
||||||
|
|
||||||
- `binary-cache-public-keys`
|
|
||||||
*Deprecated:* `binary-cache-public-keys` is now an alias `trusted-public-keys`.
|
|
||||||
|
|
||||||
- `build-compress-log`
|
|
||||||
*Deprecated:* `build-compress-log` is now an alias to `compress-build-log`.
|
|
||||||
|
|
||||||
- `build-cores`
|
|
||||||
*Deprecated:* `build-cores` is now an alias to `cores`.
|
|
||||||
|
|
||||||
- `build-extra-chroot-dirs`
|
|
||||||
*Deprecated:* `build-extra-chroot-dirs` is now an alias to `extra-sandbox-paths`.
|
|
||||||
|
|
||||||
- `build-extra-sandbox-paths`
|
|
||||||
*Deprecated:* `build-extra-sandbox-paths` is now an alias to `extra-sandbox-paths`.
|
|
||||||
|
|
||||||
- `build-fallback`
|
|
||||||
*Deprecated:* `build-fallback` is now an alias to `fallback`.
|
|
||||||
|
|
||||||
- `build-max-jobs`
|
|
||||||
*Deprecated:* `build-max-jobs` is now an alias to `max-jobs`.
|
|
||||||
|
|
||||||
- `build-max-log-size`
|
|
||||||
*Deprecated:* `build-max-log-size` is now an alias to `max-build-log-size`.
|
|
||||||
|
|
||||||
- `build-max-silent-time`
|
|
||||||
*Deprecated:* `build-max-silent-time` is now an alias to `max-silent-time`.
|
|
||||||
|
|
||||||
- `build-repeat`
|
|
||||||
*Deprecated:* `build-repeat` is now an alias to `repeat`.
|
|
||||||
|
|
||||||
- `build-timeout`
|
|
||||||
*Deprecated:* `build-timeout` is now an alias to `timeout`.
|
|
||||||
|
|
||||||
- `build-use-chroot`
|
|
||||||
*Deprecated:* `build-use-chroot` is now an alias to `sandbox`.
|
|
||||||
|
|
||||||
- `build-use-sandbox`
|
|
||||||
*Deprecated:* `build-use-sandbox` is now an alias to `sandbox`.
|
|
||||||
|
|
||||||
- `build-use-substitutes`
|
|
||||||
*Deprecated:* `build-use-substitutes` is now an alias to `substitute`.
|
|
||||||
|
|
||||||
- `gc-keep-derivations`
|
|
||||||
*Deprecated:* `gc-keep-derivations` is now an alias to `keep-derivations`.
|
|
||||||
|
|
||||||
- `gc-keep-outputs`
|
|
||||||
*Deprecated:* `gc-keep-outputs` is now an alias to `keep-outputs`.
|
|
||||||
|
|
||||||
- `env-keep-derivations`
|
|
||||||
*Deprecated:* `env-keep-derivations` is now an alias to `keep-env-derivations`.
|
|
||||||
|
|
||||||
- `extra-binary-caches`
|
|
||||||
*Deprecated:* `extra-binary-caches` is now an alias to `extra-substituters`.
|
|
||||||
|
|
||||||
- `trusted-binary-caches`
|
|
||||||
*Deprecated:* `trusted-binary-caches` is now an alias to `trusted-substituters`.
|
|
|
@ -357,24 +357,57 @@ struct EvalSettings : Config
|
||||||
Setting<bool> enableNativeCode{this, false, "allow-unsafe-native-code-during-evaluation",
|
Setting<bool> enableNativeCode{this, false, "allow-unsafe-native-code-during-evaluation",
|
||||||
"Whether builtin functions that allow executing native code should be enabled."};
|
"Whether builtin functions that allow executing native code should be enabled."};
|
||||||
|
|
||||||
Setting<Strings> nixPath{this, getDefaultNixPath(), "nix-path",
|
Setting<Strings> nixPath{
|
||||||
"List of directories to be searched for <...> file references."};
|
this, getDefaultNixPath(), "nix-path",
|
||||||
|
"List of directories to be searched for `<...>` file references."};
|
||||||
|
|
||||||
Setting<bool> restrictEval{this, false, "restrict-eval",
|
Setting<bool> restrictEval{
|
||||||
"Whether to restrict file system access to paths in $NIX_PATH, "
|
this, false, "restrict-eval",
|
||||||
"and network access to the URI prefixes listed in 'allowed-uris'."};
|
R"(
|
||||||
|
If set to `true`, the Nix evaluator will not allow access to any
|
||||||
|
files outside of the Nix search path (as set via the `NIX_PATH`
|
||||||
|
environment variable or the `-I` option), or to URIs outside of
|
||||||
|
`allowed-uri`. The default is `false`.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> pureEval{this, false, "pure-eval",
|
Setting<bool> pureEval{this, false, "pure-eval",
|
||||||
"Whether to restrict file system and network access to files specified by cryptographic hash."};
|
"Whether to restrict file system and network access to files specified by cryptographic hash."};
|
||||||
|
|
||||||
Setting<bool> enableImportFromDerivation{this, true, "allow-import-from-derivation",
|
Setting<bool> enableImportFromDerivation{
|
||||||
"Whether the evaluator allows importing the result of a derivation."};
|
this, true, "allow-import-from-derivation",
|
||||||
|
R"(
|
||||||
|
By default, Nix allows you to `import` from a derivation, allowing
|
||||||
|
building at evaluation time. With this option set to false, Nix will
|
||||||
|
throw an error when evaluating an expression that uses this feature,
|
||||||
|
allowing users to ensure their evaluation will not require any
|
||||||
|
builds to take place.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<Strings> allowedUris{this, {}, "allowed-uris",
|
Setting<Strings> allowedUris{this, {}, "allowed-uris",
|
||||||
"Prefixes of URIs that builtin functions such as fetchurl and fetchGit are allowed to fetch."};
|
R"(
|
||||||
|
A list of URI prefixes to which access is allowed in restricted
|
||||||
|
evaluation mode. For example, when set to
|
||||||
|
`https://github.com/NixOS`, builtin functions such as `fetchGit` are
|
||||||
|
allowed to access `https://github.com/NixOS/patchelf.git`.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> traceFunctionCalls{this, false, "trace-function-calls",
|
Setting<bool> traceFunctionCalls{this, false, "trace-function-calls",
|
||||||
"Emit log messages for each function entry and exit at the 'vomit' log level (-vvvv)."};
|
R"(
|
||||||
|
If set to `true`, the Nix evaluator will trace every function call.
|
||||||
|
Nix will print a log message at the "vomit" level for every function
|
||||||
|
entrance and function exit.
|
||||||
|
|
||||||
|
function-trace entered undefined position at 1565795816999559622
|
||||||
|
function-trace exited undefined position at 1565795816999581277
|
||||||
|
function-trace entered /nix/store/.../example.nix:226:41 at 1565795253249935150
|
||||||
|
function-trace exited /nix/store/.../example.nix:226:41 at 1565795253249941684
|
||||||
|
|
||||||
|
The `undefined position` means the function call is a builtin.
|
||||||
|
|
||||||
|
Use the `contrib/stack-collapse.py` script distributed with the Nix
|
||||||
|
source code to convert the trace logs in to a format suitable for
|
||||||
|
`flamegraph.pl`.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> useEvalCache{this, true, "eval-cache",
|
Setting<bool> useEvalCache{this, true, "eval-cache",
|
||||||
"Whether to use the flake evaluation cache."};
|
"Whether to use the flake evaluation cache."};
|
||||||
|
|
|
@ -17,15 +17,30 @@ struct FileTransferSettings : Config
|
||||||
Setting<std::string> userAgentSuffix{this, "", "user-agent-suffix",
|
Setting<std::string> userAgentSuffix{this, "", "user-agent-suffix",
|
||||||
"String appended to the user agent in HTTP requests."};
|
"String appended to the user agent in HTTP requests."};
|
||||||
|
|
||||||
Setting<size_t> httpConnections{this, 25, "http-connections",
|
Setting<size_t> httpConnections{
|
||||||
"Number of parallel HTTP connections.",
|
this, 25, "http-connections",
|
||||||
|
R"(
|
||||||
|
The maximum number of parallel TCP connections used to fetch
|
||||||
|
files from binary caches and by other downloads. It defaults
|
||||||
|
to 25. 0 means no limit.
|
||||||
|
)",
|
||||||
{"binary-caches-parallel-connections"}};
|
{"binary-caches-parallel-connections"}};
|
||||||
|
|
||||||
Setting<unsigned long> connectTimeout{this, 0, "connect-timeout",
|
Setting<unsigned long> connectTimeout{
|
||||||
"Timeout for connecting to servers during downloads. 0 means use curl's builtin default."};
|
this, 0, "connect-timeout",
|
||||||
|
R"(
|
||||||
|
The timeout (in seconds) for establishing connections in the
|
||||||
|
binary cache substituter. It corresponds to `curl`’s
|
||||||
|
`--connect-timeout` option.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<unsigned long> stalledDownloadTimeout{this, 300, "stalled-download-timeout",
|
Setting<unsigned long> stalledDownloadTimeout{
|
||||||
"Timeout (in seconds) for receiving data from servers during download. Nix cancels idle downloads after this timeout's duration."};
|
this, 300, "stalled-download-timeout",
|
||||||
|
R"(
|
||||||
|
The timeout (in seconds) for receiving data from servers
|
||||||
|
during download. Nix cancels idle downloads after this
|
||||||
|
timeout's duration.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<unsigned int> tries{this, 5, "download-attempts",
|
Setting<unsigned int> tries{this, 5, "download-attempts",
|
||||||
"How often Nix will attempt to download a file before giving up."};
|
"How often Nix will attempt to download a file before giving up."};
|
||||||
|
|
|
@ -80,89 +80,209 @@ public:
|
||||||
Setting<bool> keepGoing{this, false, "keep-going",
|
Setting<bool> keepGoing{this, false, "keep-going",
|
||||||
"Whether to keep building derivations when another build fails."};
|
"Whether to keep building derivations when another build fails."};
|
||||||
|
|
||||||
Setting<bool> tryFallback{this, false, "fallback",
|
Setting<bool> tryFallback{
|
||||||
"Whether to fall back to building when substitution fails.",
|
this, false, "fallback",
|
||||||
|
R"(
|
||||||
|
If set to `true`, Nix will fall back to building from source if a
|
||||||
|
binary substitute fails. This is equivalent to the `--fallback`
|
||||||
|
flag. The default is `false`.
|
||||||
|
)",
|
||||||
{"build-fallback"}};
|
{"build-fallback"}};
|
||||||
|
|
||||||
/* Whether to show build log output in real time. */
|
/* Whether to show build log output in real time. */
|
||||||
bool verboseBuild = true;
|
bool verboseBuild = true;
|
||||||
|
|
||||||
Setting<size_t> logLines{this, 10, "log-lines",
|
Setting<size_t> logLines{this, 10, "log-lines",
|
||||||
"If verbose-build is false, the number of lines of the tail of "
|
"If `verbose-build` is false, the number of lines of the tail of "
|
||||||
"the log to show if a build fails."};
|
"the log to show if a build fails."};
|
||||||
|
|
||||||
MaxBuildJobsSetting maxBuildJobs{this, 1, "max-jobs",
|
MaxBuildJobsSetting maxBuildJobs{
|
||||||
"Maximum number of parallel build jobs. \"auto\" means use number of cores.",
|
this, 1, "max-jobs",
|
||||||
|
R"(
|
||||||
|
This option defines the maximum number of jobs that Nix will try to
|
||||||
|
build in parallel. The default is `1`. The special value `auto`
|
||||||
|
causes Nix to use the number of CPUs in your system. `0` is useful
|
||||||
|
when using remote builders to prevent any local builds (except for
|
||||||
|
`preferLocalBuild` derivation attribute which executes locally
|
||||||
|
regardless). It can be overridden using the `--max-jobs` (`-j`)
|
||||||
|
command line switch.
|
||||||
|
)",
|
||||||
{"build-max-jobs"}};
|
{"build-max-jobs"}};
|
||||||
|
|
||||||
Setting<unsigned int> buildCores{this, getDefaultCores(), "cores",
|
Setting<unsigned int> buildCores{
|
||||||
"Number of CPU cores to utilize in parallel within a build, "
|
this, getDefaultCores(), "cores",
|
||||||
"i.e. by passing this number to Make via '-j'. 0 means that the "
|
R"(
|
||||||
"number of actual CPU cores on the local host ought to be "
|
Sets the value of the `NIX_BUILD_CORES` environment variable in the
|
||||||
"auto-detected.", {"build-cores"}};
|
invocation of builders. Builders can use this variable at their
|
||||||
|
discretion to control the maximum amount of parallelism. For
|
||||||
|
instance, in Nixpkgs, if the derivation attribute
|
||||||
|
`enableParallelBuilding` is set to `true`, the builder passes the
|
||||||
|
`-jN` flag to GNU Make. It can be overridden using the `--cores`
|
||||||
|
command line switch and defaults to `1`. The value `0` means that
|
||||||
|
the builder should use all available CPU cores in the system.
|
||||||
|
)",
|
||||||
|
{"build-cores"}};
|
||||||
|
|
||||||
/* Read-only mode. Don't copy stuff to the store, don't change
|
/* Read-only mode. Don't copy stuff to the store, don't change
|
||||||
the database. */
|
the database. */
|
||||||
bool readOnlyMode = false;
|
bool readOnlyMode = false;
|
||||||
|
|
||||||
Setting<std::string> thisSystem{this, SYSTEM, "system",
|
Setting<std::string> thisSystem{
|
||||||
"The canonical Nix system name."};
|
this, SYSTEM, "system",
|
||||||
|
R"(
|
||||||
|
This option specifies the canonical Nix system name of the current
|
||||||
|
installation, such as `i686-linux` or `x86_64-darwin`. Nix can only
|
||||||
|
build derivations whose `system` attribute equals the value
|
||||||
|
specified here. In general, it never makes sense to modify this
|
||||||
|
value from its default, since you can use it to ‘lie’ about the
|
||||||
|
platform you are building on (e.g., perform a Mac OS build on a
|
||||||
|
Linux machine; the result would obviously be wrong). It only makes
|
||||||
|
sense if the Nix binaries can run on multiple platforms, e.g.,
|
||||||
|
‘universal binaries’ that run on `x86_64-linux` and `i686-linux`.
|
||||||
|
|
||||||
Setting<time_t> maxSilentTime{this, 0, "max-silent-time",
|
It defaults to the canonical Nix system name detected by `configure`
|
||||||
"The maximum time in seconds that a builer can go without "
|
at build time.
|
||||||
"producing any output on stdout/stderr before it is killed. "
|
)"};
|
||||||
"0 means infinity.",
|
|
||||||
|
Setting<time_t> maxSilentTime{
|
||||||
|
this, 0, "max-silent-time",
|
||||||
|
R"(
|
||||||
|
This option defines the maximum number of seconds that a builder can
|
||||||
|
go without producing any data on standard output or standard error.
|
||||||
|
This is useful (for instance in an automated build system) to catch
|
||||||
|
builds that are stuck in an infinite loop, or to catch remote builds
|
||||||
|
that are hanging due to network problems. It can be overridden using
|
||||||
|
the `--max-silent-time` command line switch.
|
||||||
|
|
||||||
|
The value `0` means that there is no timeout. This is also the
|
||||||
|
default.
|
||||||
|
)",
|
||||||
{"build-max-silent-time"}};
|
{"build-max-silent-time"}};
|
||||||
|
|
||||||
Setting<time_t> buildTimeout{this, 0, "timeout",
|
Setting<time_t> buildTimeout{
|
||||||
"The maximum duration in seconds that a builder can run. "
|
this, 0, "timeout",
|
||||||
"0 means infinity.", {"build-timeout"}};
|
R"(
|
||||||
|
This option defines the maximum number of seconds that a builder can
|
||||||
|
run. This is useful (for instance in an automated build system) to
|
||||||
|
catch builds that are stuck in an infinite loop but keep writing to
|
||||||
|
their standard output or standard error. It can be overridden using
|
||||||
|
the `--timeout` command line switch.
|
||||||
|
|
||||||
|
The value `0` means that there is no timeout. This is also the
|
||||||
|
default.
|
||||||
|
)",
|
||||||
|
{"build-timeout"}};
|
||||||
|
|
||||||
PathSetting buildHook{this, true, nixLibexecDir + "/nix/build-remote", "build-hook",
|
PathSetting buildHook{this, true, nixLibexecDir + "/nix/build-remote", "build-hook",
|
||||||
"The path of the helper program that executes builds to remote machines."};
|
"The path of the helper program that executes builds to remote machines."};
|
||||||
|
|
||||||
Setting<std::string> builders{this, "@" + nixConfDir + "/machines", "builders",
|
Setting<std::string> builders{
|
||||||
"A semicolon-separated list of build machines, in the format of nix.machines."};
|
this, "@" + nixConfDir + "/machines", "builders",
|
||||||
|
"A semicolon-separated list of build machines, in the format of `nix.machines`."};
|
||||||
|
|
||||||
Setting<bool> buildersUseSubstitutes{this, false, "builders-use-substitutes",
|
Setting<bool> buildersUseSubstitutes{
|
||||||
"Whether build machines should use their own substitutes for obtaining "
|
this, false, "builders-use-substitutes",
|
||||||
"build dependencies if possible, rather than waiting for this host to "
|
R"(
|
||||||
"upload them."};
|
If set to `true`, Nix will instruct remote build machines to use
|
||||||
|
their own binary substitutes if available. In practical terms, this
|
||||||
|
means that remote hosts will fetch as many build dependencies as
|
||||||
|
possible from their own substitutes (e.g, from `cache.nixos.org`),
|
||||||
|
instead of waiting for this host to upload them all. This can
|
||||||
|
drastically reduce build times if the network connection between
|
||||||
|
this computer and the remote build host is slow.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<off_t> reservedSize{this, 8 * 1024 * 1024, "gc-reserved-space",
|
Setting<off_t> reservedSize{this, 8 * 1024 * 1024, "gc-reserved-space",
|
||||||
"Amount of reserved disk space for the garbage collector."};
|
"Amount of reserved disk space for the garbage collector."};
|
||||||
|
|
||||||
Setting<bool> fsyncMetadata{this, true, "fsync-metadata",
|
Setting<bool> fsyncMetadata{
|
||||||
"Whether SQLite should use fsync()."};
|
this, true, "fsync-metadata",
|
||||||
|
R"(
|
||||||
|
If set to `true`, changes to the Nix store metadata (in
|
||||||
|
`/nix/var/nix/db`) are synchronously flushed to disk. This improves
|
||||||
|
robustness in case of system crashes, but reduces performance. The
|
||||||
|
default is `true`.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> useSQLiteWAL{this, !isWSL1(), "use-sqlite-wal",
|
Setting<bool> useSQLiteWAL{this, !isWSL1(), "use-sqlite-wal",
|
||||||
"Whether SQLite should use WAL mode."};
|
"Whether SQLite should use WAL mode."};
|
||||||
|
|
||||||
Setting<bool> syncBeforeRegistering{this, false, "sync-before-registering",
|
Setting<bool> syncBeforeRegistering{this, false, "sync-before-registering",
|
||||||
"Whether to call sync() before registering a path as valid."};
|
"Whether to call `sync()` before registering a path as valid."};
|
||||||
|
|
||||||
Setting<bool> useSubstitutes{this, true, "substitute",
|
Setting<bool> useSubstitutes{
|
||||||
"Whether to use substitutes.",
|
this, true, "substitute",
|
||||||
|
R"(
|
||||||
|
If set to `true` (default), Nix will use binary substitutes if
|
||||||
|
available. This option can be disabled to force building from
|
||||||
|
source.
|
||||||
|
)",
|
||||||
{"build-use-substitutes"}};
|
{"build-use-substitutes"}};
|
||||||
|
|
||||||
Setting<std::string> buildUsersGroup{this, "", "build-users-group",
|
Setting<std::string> buildUsersGroup{
|
||||||
"The Unix group that contains the build users."};
|
this, "", "build-users-group",
|
||||||
|
R"(
|
||||||
|
This options specifies the Unix group containing the Nix build user
|
||||||
|
accounts. In multi-user Nix installations, builds should not be
|
||||||
|
performed by the Nix account since that would allow users to
|
||||||
|
arbitrarily modify the Nix store and database by supplying specially
|
||||||
|
crafted builders; and they cannot be performed by the calling user
|
||||||
|
since that would allow him/her to influence the build result.
|
||||||
|
|
||||||
|
Therefore, if this option is non-empty and specifies a valid group,
|
||||||
|
builds will be performed under the user accounts that are a member
|
||||||
|
of the group specified here (as listed in `/etc/group`). Those user
|
||||||
|
accounts should not be used for any other purpose\!
|
||||||
|
|
||||||
|
Nix will never run two builds under the same user account at the
|
||||||
|
same time. This is to prevent an obvious security hole: a malicious
|
||||||
|
user writing a Nix expression that modifies the build result of a
|
||||||
|
legitimate Nix expression being built by another user. Therefore it
|
||||||
|
is good to have as many Nix build user accounts as you can spare.
|
||||||
|
(Remember: uids are cheap.)
|
||||||
|
|
||||||
|
The build users should have permission to create files in the Nix
|
||||||
|
store, but not delete them. Therefore, `/nix/store` should be owned
|
||||||
|
by the Nix account, its group should be the group specified here,
|
||||||
|
and its mode should be `1775`.
|
||||||
|
|
||||||
|
If the build users group is empty, builds will be performed under
|
||||||
|
the uid of the Nix process (that is, the uid of the caller if
|
||||||
|
`NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
|
||||||
|
`NIX_REMOTE` is `daemon`). Obviously, this should not be used in
|
||||||
|
multi-user settings with untrusted users.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> impersonateLinux26{this, false, "impersonate-linux-26",
|
Setting<bool> impersonateLinux26{this, false, "impersonate-linux-26",
|
||||||
"Whether to impersonate a Linux 2.6 machine on newer kernels.",
|
"Whether to impersonate a Linux 2.6 machine on newer kernels.",
|
||||||
{"build-impersonate-linux-26"}};
|
{"build-impersonate-linux-26"}};
|
||||||
|
|
||||||
Setting<bool> keepLog{this, true, "keep-build-log",
|
Setting<bool> keepLog{
|
||||||
"Whether to store build logs.",
|
this, true, "keep-build-log",
|
||||||
|
R"(
|
||||||
|
If set to `true` (the default), Nix will write the build log of a
|
||||||
|
derivation (i.e. the standard output and error of its builder) to
|
||||||
|
the directory `/nix/var/log/nix/drvs`. The build log can be
|
||||||
|
retrieved using the command `nix-store -l path`.
|
||||||
|
)",
|
||||||
{"build-keep-log"}};
|
{"build-keep-log"}};
|
||||||
|
|
||||||
Setting<bool> compressLog{this, true, "compress-build-log",
|
Setting<bool> compressLog{
|
||||||
"Whether to compress logs.",
|
this, true, "compress-build-log",
|
||||||
|
R"(
|
||||||
|
If set to `true` (the default), build logs written to
|
||||||
|
`/nix/var/log/nix/drvs` will be compressed on the fly using bzip2.
|
||||||
|
Otherwise, they will not be compressed.
|
||||||
|
)",
|
||||||
{"build-compress-log"}};
|
{"build-compress-log"}};
|
||||||
|
|
||||||
Setting<unsigned long> maxLogSize{this, 0, "max-build-log-size",
|
Setting<unsigned long> maxLogSize{
|
||||||
"Maximum number of bytes a builder can write to stdout/stderr "
|
this, 0, "max-build-log-size",
|
||||||
"before being killed (0 means no limit).",
|
R"(
|
||||||
|
This option defines the maximum number of bytes that a builder can
|
||||||
|
write to its stdout/stderr. If the builder exceeds this limit, it’s
|
||||||
|
killed. A value of `0` (the default) means that there is no limit.
|
||||||
|
)",
|
||||||
{"build-max-log-size"}};
|
{"build-max-log-size"}};
|
||||||
|
|
||||||
/* When buildRepeat > 0 and verboseBuild == true, whether to print
|
/* When buildRepeat > 0 and verboseBuild == true, whether to print
|
||||||
|
@ -177,53 +297,156 @@ public:
|
||||||
"Whether to check if new GC roots can in fact be found by the "
|
"Whether to check if new GC roots can in fact be found by the "
|
||||||
"garbage collector."};
|
"garbage collector."};
|
||||||
|
|
||||||
Setting<bool> gcKeepOutputs{this, false, "keep-outputs",
|
Setting<bool> gcKeepOutputs{
|
||||||
"Whether the garbage collector should keep outputs of live derivations.",
|
this, false, "keep-outputs",
|
||||||
|
R"(
|
||||||
|
If `true`, the garbage collector will keep the outputs of
|
||||||
|
non-garbage derivations. If `false` (default), outputs will be
|
||||||
|
deleted unless they are GC roots themselves (or reachable from other
|
||||||
|
roots).
|
||||||
|
|
||||||
|
In general, outputs must be registered as roots separately. However,
|
||||||
|
even if the output of a derivation is registered as a root, the
|
||||||
|
collector will still delete store paths that are used only at build
|
||||||
|
time (e.g., the C compiler, or source tarballs downloaded from the
|
||||||
|
network). To prevent it from doing so, set this option to `true`.
|
||||||
|
)",
|
||||||
{"gc-keep-outputs"}};
|
{"gc-keep-outputs"}};
|
||||||
|
|
||||||
Setting<bool> gcKeepDerivations{this, true, "keep-derivations",
|
Setting<bool> gcKeepDerivations{
|
||||||
"Whether the garbage collector should keep derivers of live paths.",
|
this, true, "keep-derivations",
|
||||||
|
R"(
|
||||||
|
If `true` (default), the garbage collector will keep the derivations
|
||||||
|
from which non-garbage store paths were built. If `false`, they will
|
||||||
|
be deleted unless explicitly registered as a root (or reachable from
|
||||||
|
other roots).
|
||||||
|
|
||||||
|
Keeping derivation around is useful for querying and traceability
|
||||||
|
(e.g., it allows you to ask with what dependencies or options a
|
||||||
|
store path was built), so by default this option is on. Turn it off
|
||||||
|
to save a bit of disk space (or a lot if `keep-outputs` is also
|
||||||
|
turned on).
|
||||||
|
)",
|
||||||
{"gc-keep-derivations"}};
|
{"gc-keep-derivations"}};
|
||||||
|
|
||||||
Setting<bool> autoOptimiseStore{this, false, "auto-optimise-store",
|
Setting<bool> autoOptimiseStore{
|
||||||
"Whether to automatically replace files with identical contents with hard links."};
|
this, false, "auto-optimise-store",
|
||||||
|
R"(
|
||||||
|
If set to `true`, Nix automatically detects files in the store
|
||||||
|
that have identical contents, and replaces them with hard links to
|
||||||
|
a single copy. This saves disk space. If set to `false` (the
|
||||||
|
default), you can still run `nix-store --optimise` to get rid of
|
||||||
|
duplicate files.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> envKeepDerivations{this, false, "keep-env-derivations",
|
Setting<bool> envKeepDerivations{
|
||||||
"Whether to add derivations as a dependency of user environments "
|
this, false, "keep-env-derivations",
|
||||||
"(to prevent them from being GCed).",
|
R"(
|
||||||
|
If `false` (default), derivations are not stored in Nix user
|
||||||
|
environments. That is, the derivations of any build-time-only
|
||||||
|
dependencies may be garbage-collected.
|
||||||
|
|
||||||
|
If `true`, when you add a Nix derivation to a user environment, the
|
||||||
|
path of the derivation is stored in the user environment. Thus, the
|
||||||
|
derivation will not be garbage-collected until the user environment
|
||||||
|
generation is deleted (`nix-env --delete-generations`). To prevent
|
||||||
|
build-time-only dependencies from being collected, you should also
|
||||||
|
turn on `keep-outputs`.
|
||||||
|
|
||||||
|
The difference between this option and `keep-derivations` is that
|
||||||
|
this one is “sticky”: it applies to any user environment created
|
||||||
|
while this option was enabled, while `keep-derivations` only applies
|
||||||
|
at the moment the garbage collector is run.
|
||||||
|
)",
|
||||||
{"env-keep-derivations"}};
|
{"env-keep-derivations"}};
|
||||||
|
|
||||||
/* Whether to lock the Nix client and worker to the same CPU. */
|
/* Whether to lock the Nix client and worker to the same CPU. */
|
||||||
bool lockCPU;
|
bool lockCPU;
|
||||||
|
|
||||||
Setting<SandboxMode> sandboxMode{this,
|
Setting<SandboxMode> sandboxMode{
|
||||||
|
this,
|
||||||
#if __linux__
|
#if __linux__
|
||||||
smEnabled
|
smEnabled
|
||||||
#else
|
#else
|
||||||
smDisabled
|
smDisabled
|
||||||
#endif
|
#endif
|
||||||
, "sandbox",
|
, "sandbox",
|
||||||
"Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".",
|
R"(
|
||||||
|
If set to `true`, builds will be performed in a *sandboxed
|
||||||
|
environment*, i.e., they’re isolated from the normal file system
|
||||||
|
hierarchy and will only see their dependencies in the Nix store,
|
||||||
|
the temporary build directory, private versions of `/proc`,
|
||||||
|
`/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths
|
||||||
|
configured with the `sandbox-paths` option. This is useful to
|
||||||
|
prevent undeclared dependencies on files in directories such as
|
||||||
|
`/usr/bin`. In addition, on Linux, builds run in private PID,
|
||||||
|
mount, network, IPC and UTS namespaces to isolate them from other
|
||||||
|
processes in the system (except that fixed-output derivations do
|
||||||
|
not run in private network namespace to ensure they can access the
|
||||||
|
network).
|
||||||
|
|
||||||
|
Currently, sandboxing only work on Linux and macOS. The use of a
|
||||||
|
sandbox requires that Nix is run as root (so you should use the
|
||||||
|
“build users” feature to perform the actual builds under different
|
||||||
|
users than root).
|
||||||
|
|
||||||
|
If this option is set to `relaxed`, then fixed-output derivations
|
||||||
|
and derivations that have the `__noChroot` attribute set to `true`
|
||||||
|
do not run in sandboxes.
|
||||||
|
|
||||||
|
The default is `true` on Linux and `false` on all other platforms.
|
||||||
|
)",
|
||||||
{"build-use-chroot", "build-use-sandbox"}};
|
{"build-use-chroot", "build-use-sandbox"}};
|
||||||
|
|
||||||
Setting<PathSet> sandboxPaths{this, {}, "sandbox-paths",
|
Setting<PathSet> sandboxPaths{
|
||||||
"The paths to make available inside the build sandbox.",
|
this, {}, "sandbox-paths",
|
||||||
|
R"(
|
||||||
|
A list of paths bind-mounted into Nix sandbox environments. You can
|
||||||
|
use the syntax `target=source` to mount a path in a different
|
||||||
|
location in the sandbox; for instance, `/bin=/nix-bin` will mount
|
||||||
|
the path `/nix-bin` as `/bin` inside the sandbox. If *source* is
|
||||||
|
followed by `?`, then it is not an error if *source* does not exist;
|
||||||
|
for example, `/dev/nvidiactl?` specifies that `/dev/nvidiactl` will
|
||||||
|
only be mounted in the sandbox if it exists in the host filesystem.
|
||||||
|
|
||||||
|
Depending on how Nix was built, the default value for this option
|
||||||
|
may be empty or provide `/bin/sh` as a bind-mount of `bash`.
|
||||||
|
)",
|
||||||
{"build-chroot-dirs", "build-sandbox-paths"}};
|
{"build-chroot-dirs", "build-sandbox-paths"}};
|
||||||
|
|
||||||
Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
|
Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
|
||||||
"Whether to disable sandboxing when the kernel doesn't allow it."};
|
"Whether to disable sandboxing when the kernel doesn't allow it."};
|
||||||
|
|
||||||
Setting<PathSet> extraSandboxPaths{this, {}, "extra-sandbox-paths",
|
Setting<PathSet> extraSandboxPaths{
|
||||||
"Additional paths to make available inside the build sandbox.",
|
this, {}, "extra-sandbox-paths",
|
||||||
|
R"(
|
||||||
|
A list of additional paths appended to `sandbox-paths`. Useful if
|
||||||
|
you want to extend its default value.
|
||||||
|
)",
|
||||||
{"build-extra-chroot-dirs", "build-extra-sandbox-paths"}};
|
{"build-extra-chroot-dirs", "build-extra-sandbox-paths"}};
|
||||||
|
|
||||||
Setting<size_t> buildRepeat{this, 0, "repeat",
|
Setting<size_t> buildRepeat{
|
||||||
"The number of times to repeat a build in order to verify determinism.",
|
this, 0, "repeat",
|
||||||
|
R"(
|
||||||
|
How many times to repeat builds to check whether they are
|
||||||
|
deterministic. The default value is 0. If the value is non-zero,
|
||||||
|
every build is repeated the specified number of times. If the
|
||||||
|
contents of any of the runs differs from the previous ones and
|
||||||
|
`enforce-determinism` is true, the build is rejected and the
|
||||||
|
resulting store paths are not registered as “valid” in Nix’s
|
||||||
|
database.
|
||||||
|
)",
|
||||||
{"build-repeat"}};
|
{"build-repeat"}};
|
||||||
|
|
||||||
#if __linux__
|
#if __linux__
|
||||||
Setting<std::string> sandboxShmSize{this, "50%", "sandbox-dev-shm-size",
|
Setting<std::string> sandboxShmSize{
|
||||||
"The size of /dev/shm in the build sandbox."};
|
this, "50%", "sandbox-dev-shm-size",
|
||||||
|
R"(
|
||||||
|
This option determines the maximum size of the `tmpfs` filesystem
|
||||||
|
mounted on `/dev/shm` in Linux sandboxes. For the format, see the
|
||||||
|
description of the `size` option of `tmpfs` in mount8. The default
|
||||||
|
is `50%`.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<Path> sandboxBuildDir{this, "/build", "sandbox-build-dir",
|
Setting<Path> sandboxBuildDir{this, "/build", "sandbox-build-dir",
|
||||||
"The build directory inside the sandbox."};
|
"The build directory inside the sandbox."};
|
||||||
|
@ -237,121 +460,411 @@ public:
|
||||||
"Whether to log Darwin sandbox access violations to the system log."};
|
"Whether to log Darwin sandbox access violations to the system log."};
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
Setting<bool> runDiffHook{this, false, "run-diff-hook",
|
Setting<bool> runDiffHook{
|
||||||
"Whether to run the program specified by the diff-hook setting "
|
this, false, "run-diff-hook",
|
||||||
"repeated builds produce a different result. Typically used to "
|
R"(
|
||||||
"plug in diffoscope."};
|
If true, enable the execution of the `diff-hook` program.
|
||||||
|
|
||||||
PathSetting diffHook{this, true, "", "diff-hook",
|
When using the Nix daemon, `run-diff-hook` must be set in the
|
||||||
"A program that prints out the differences between the two paths "
|
`nix.conf` configuration file, and cannot be passed at the command
|
||||||
"specified on its command line."};
|
line.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> enforceDeterminism{this, true, "enforce-determinism",
|
PathSetting diffHook{
|
||||||
"Whether to fail if repeated builds produce different output."};
|
this, true, "", "diff-hook",
|
||||||
|
R"(
|
||||||
|
Absolute path to an executable capable of diffing build
|
||||||
|
results. The hook is executed if `run-diff-hook` is true, and the
|
||||||
|
output of a build is known to not be the same. This program is not
|
||||||
|
executed to determine if two results are the same.
|
||||||
|
|
||||||
Setting<Strings> trustedPublicKeys{this,
|
The diff hook is executed by the same user and group who ran the
|
||||||
|
build. However, the diff hook does not have write access to the
|
||||||
|
store path just built.
|
||||||
|
|
||||||
|
The diff hook program receives three parameters:
|
||||||
|
|
||||||
|
1. A path to the previous build's results
|
||||||
|
|
||||||
|
2. A path to the current build's results
|
||||||
|
|
||||||
|
3. The path to the build's derivation
|
||||||
|
|
||||||
|
4. The path to the build's scratch directory. This directory will
|
||||||
|
exist only if the build was run with `--keep-failed`.
|
||||||
|
|
||||||
|
The stderr and stdout output from the diff hook will not be
|
||||||
|
displayed to the user. Instead, it will print to the nix-daemon's
|
||||||
|
log.
|
||||||
|
|
||||||
|
When using the Nix daemon, `diff-hook` must be set in the `nix.conf`
|
||||||
|
configuration file, and cannot be passed at the command line.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<bool> enforceDeterminism{
|
||||||
|
this, true, "enforce-determinism",
|
||||||
|
"Whether to fail if repeated builds produce different output. See `repeat`."};
|
||||||
|
|
||||||
|
Setting<Strings> trustedPublicKeys{
|
||||||
|
this,
|
||||||
{"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
|
{"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
|
||||||
"trusted-public-keys",
|
"trusted-public-keys",
|
||||||
"Trusted public keys for secure substitution.",
|
R"(
|
||||||
|
A whitespace-separated list of public keys. When paths are copied
|
||||||
|
from another Nix store (such as a binary cache), they must be
|
||||||
|
signed with one of these keys. For example:
|
||||||
|
`cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
|
||||||
|
hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=`.
|
||||||
|
)",
|
||||||
{"binary-cache-public-keys"}};
|
{"binary-cache-public-keys"}};
|
||||||
|
|
||||||
Setting<Strings> secretKeyFiles{this, {}, "secret-key-files",
|
Setting<Strings> secretKeyFiles{
|
||||||
"Secret keys with which to sign local builds."};
|
this, {}, "secret-key-files",
|
||||||
|
R"(
|
||||||
|
A whitespace-separated list of files containing secret (private)
|
||||||
|
keys. These are used to sign locally-built paths. They can be
|
||||||
|
generated using `nix-store --generate-binary-cache-key`. The
|
||||||
|
corresponding public key can be distributed to other users, who
|
||||||
|
can add it to `trusted-public-keys` in their `nix.conf`.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<unsigned int> tarballTtl{this, 60 * 60, "tarball-ttl",
|
Setting<unsigned int> tarballTtl{
|
||||||
"How long downloaded files are considered up-to-date."};
|
this, 60 * 60, "tarball-ttl",
|
||||||
|
R"(
|
||||||
|
The number of seconds a downloaded tarball is considered fresh. If
|
||||||
|
the cached tarball is stale, Nix will check whether it is still up
|
||||||
|
to date using the ETag header. Nix will download a new version if
|
||||||
|
the ETag header is unsupported, or the cached ETag doesn't match.
|
||||||
|
|
||||||
Setting<bool> requireSigs{this, true, "require-sigs",
|
Setting the TTL to `0` forces Nix to always check if the tarball is
|
||||||
"Whether to check that any non-content-addressed path added to the "
|
up to date.
|
||||||
"Nix store has a valid signature (that is, one signed using a key "
|
|
||||||
"listed in 'trusted-public-keys'."};
|
|
||||||
|
|
||||||
Setting<StringSet> extraPlatforms{this,
|
Nix caches tarballs in `$XDG_CACHE_HOME/nix/tarballs`.
|
||||||
|
|
||||||
|
Files fetched via `NIX_PATH`, `fetchGit`, `fetchMercurial`,
|
||||||
|
`fetchTarball`, and `fetchurl` respect this TTL.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<bool> requireSigs{
|
||||||
|
this, true, "require-sigs",
|
||||||
|
R"(
|
||||||
|
If set to `true` (the default), any non-content-addressed path added
|
||||||
|
or copied to the Nix store (e.g. when substituting from a binary
|
||||||
|
cache) must have a valid signature, that is, be signed using one of
|
||||||
|
the keys listed in `trusted-public-keys` or `secret-key-files`. Set
|
||||||
|
to `false` to disable signature checking.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<StringSet> extraPlatforms{
|
||||||
|
this,
|
||||||
std::string{SYSTEM} == "x86_64-linux" && !isWSL1() ? StringSet{"i686-linux"} : StringSet{},
|
std::string{SYSTEM} == "x86_64-linux" && !isWSL1() ? StringSet{"i686-linux"} : StringSet{},
|
||||||
"extra-platforms",
|
"extra-platforms",
|
||||||
"Additional platforms that can be built on the local system. "
|
R"(
|
||||||
"These may be supported natively (e.g. armv7 on some aarch64 CPUs "
|
Platforms other than the native one which this machine is capable of
|
||||||
"or using hacks like qemu-user."};
|
building for. This can be useful for supporting additional
|
||||||
|
architectures on compatible machines: i686-linux can be built on
|
||||||
|
x86\_64-linux machines (and the default for this setting reflects
|
||||||
|
this); armv7 is backwards-compatible with armv6 and armv5tel; some
|
||||||
|
aarch64 machines can also natively run 32-bit ARM code; and
|
||||||
|
qemu-user may be used to support non-native platforms (though this
|
||||||
|
may be slow and buggy). Most values for this are not enabled by
|
||||||
|
default because build systems will often misdetect the target
|
||||||
|
platform and generate incompatible code, so you may wish to
|
||||||
|
cross-check the results of using this option against proper
|
||||||
|
natively-built versions of your derivations.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<StringSet> systemFeatures{this, getDefaultSystemFeatures(),
|
Setting<StringSet> systemFeatures{
|
||||||
|
this, getDefaultSystemFeatures(),
|
||||||
"system-features",
|
"system-features",
|
||||||
"Optional features that this system implements (like \"kvm\")."};
|
R"(
|
||||||
|
A set of system “features” supported by this machine, e.g. `kvm`.
|
||||||
|
Derivations can express a dependency on such features through the
|
||||||
|
derivation attribute `requiredSystemFeatures`. For example, the
|
||||||
|
attribute
|
||||||
|
|
||||||
Setting<Strings> substituters{this,
|
requiredSystemFeatures = [ "kvm" ];
|
||||||
|
|
||||||
|
ensures that the derivation can only be built on a machine with the
|
||||||
|
`kvm` feature.
|
||||||
|
|
||||||
|
This setting by default includes `kvm` if `/dev/kvm` is accessible,
|
||||||
|
and the pseudo-features `nixos-test`, `benchmark` and `big-parallel`
|
||||||
|
that are used in Nixpkgs to route builds to specific machines.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<Strings> substituters{
|
||||||
|
this,
|
||||||
nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings(),
|
nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings(),
|
||||||
"substituters",
|
"substituters",
|
||||||
"The URIs of substituters (such as https://cache.nixos.org/).",
|
R"(
|
||||||
|
A list of URLs of substituters, separated by whitespace. The default
|
||||||
|
is `https://cache.nixos.org`.
|
||||||
|
)",
|
||||||
{"binary-caches"}};
|
{"binary-caches"}};
|
||||||
|
|
||||||
// FIXME: provide a way to add to option values.
|
// FIXME: provide a way to add to option values.
|
||||||
Setting<Strings> extraSubstituters{this, {}, "extra-substituters",
|
Setting<Strings> extraSubstituters{
|
||||||
"Additional URIs of substituters.",
|
this, {}, "extra-substituters",
|
||||||
|
R"(
|
||||||
|
Additional binary caches appended to those specified in
|
||||||
|
`substituters`. When used by unprivileged users, untrusted
|
||||||
|
substituters (i.e. those not listed in `trusted-substituters`) are
|
||||||
|
silently ignored.
|
||||||
|
)",
|
||||||
{"extra-binary-caches"}};
|
{"extra-binary-caches"}};
|
||||||
|
|
||||||
Setting<StringSet> trustedSubstituters{this, {}, "trusted-substituters",
|
Setting<StringSet> trustedSubstituters{
|
||||||
"Disabled substituters that may be enabled via the substituters option by untrusted users.",
|
this, {}, "trusted-substituters",
|
||||||
|
R"(
|
||||||
|
A list of URLs of substituters, separated by whitespace. These are
|
||||||
|
not used by default, but can be enabled by users of the Nix daemon
|
||||||
|
by specifying `--option substituters urls` on the command
|
||||||
|
line. Unprivileged users are only allowed to pass a subset of the
|
||||||
|
URLs listed in `substituters` and `trusted-substituters`.
|
||||||
|
)",
|
||||||
{"trusted-binary-caches"}};
|
{"trusted-binary-caches"}};
|
||||||
|
|
||||||
Setting<Strings> trustedUsers{this, {"root"}, "trusted-users",
|
Setting<Strings> trustedUsers{
|
||||||
"Which users or groups are trusted to ask the daemon to do unsafe things."};
|
this, {"root"}, "trusted-users",
|
||||||
|
R"(
|
||||||
|
A list of names of users (separated by whitespace) that have
|
||||||
|
additional rights when connecting to the Nix daemon, such as the
|
||||||
|
ability to specify additional binary caches, or to import unsigned
|
||||||
|
NARs. You can also specify groups by prefixing them with `@`; for
|
||||||
|
instance, `@wheel` means all users in the `wheel` group. The default
|
||||||
|
is `root`.
|
||||||
|
|
||||||
Setting<unsigned int> ttlNegativeNarInfoCache{this, 3600, "narinfo-cache-negative-ttl",
|
> **Warning**
|
||||||
"The TTL in seconds for negative lookups in the disk cache i.e binary cache lookups that "
|
>
|
||||||
"return an invalid path result"};
|
> Adding a user to `trusted-users` is essentially equivalent to
|
||||||
|
> giving that user root access to the system. For example, the user
|
||||||
|
> can set `sandbox-paths` and thereby obtain read access to
|
||||||
|
> directories that are otherwise inacessible to them.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<unsigned int> ttlPositiveNarInfoCache{this, 30 * 24 * 3600, "narinfo-cache-positive-ttl",
|
Setting<unsigned int> ttlNegativeNarInfoCache{
|
||||||
"The TTL in seconds for positive lookups in the disk cache i.e binary cache lookups that "
|
this, 3600, "narinfo-cache-negative-ttl",
|
||||||
"return a valid path result."};
|
R"(
|
||||||
|
The TTL in seconds for negative lookups. If a store path is queried
|
||||||
|
from a substituter but was not found, there will be a negative
|
||||||
|
lookup cached in the local disk cache database for the specified
|
||||||
|
duration.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<unsigned int> ttlPositiveNarInfoCache{
|
||||||
|
this, 30 * 24 * 3600, "narinfo-cache-positive-ttl",
|
||||||
|
R"(
|
||||||
|
The TTL in seconds for positive lookups. If a store path is queried
|
||||||
|
from a substituter, the result of the query will be cached in the
|
||||||
|
local disk cache database including some of the NAR metadata. The
|
||||||
|
default TTL is a month, setting a shorter TTL for positive lookups
|
||||||
|
can be useful for binary caches that have frequent garbage
|
||||||
|
collection, in which case having a more frequent cache invalidation
|
||||||
|
would prevent trying to pull the path again and failing with a hash
|
||||||
|
mismatch if the build isn't reproducible.
|
||||||
|
)"};
|
||||||
|
|
||||||
/* ?Who we trust to use the daemon in safe ways */
|
/* ?Who we trust to use the daemon in safe ways */
|
||||||
Setting<Strings> allowedUsers{this, {"*"}, "allowed-users",
|
Setting<Strings> allowedUsers{
|
||||||
"Which users or groups are allowed to connect to the daemon."};
|
this, {"*"}, "allowed-users",
|
||||||
|
R"(
|
||||||
|
A list of names of users (separated by whitespace) that are allowed
|
||||||
|
to connect to the Nix daemon. As with the `trusted-users` option,
|
||||||
|
you can specify groups by prefixing them with `@`. Also, you can
|
||||||
|
allow all users by specifying `*`. The default is `*`.
|
||||||
|
|
||||||
|
Note that trusted users are always allowed to connect.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> printMissing{this, true, "print-missing",
|
Setting<bool> printMissing{this, true, "print-missing",
|
||||||
"Whether to print what paths need to be built or downloaded."};
|
"Whether to print what paths need to be built or downloaded."};
|
||||||
|
|
||||||
Setting<std::string> preBuildHook{this, "",
|
Setting<std::string> preBuildHook{
|
||||||
"pre-build-hook",
|
this, "", "pre-build-hook",
|
||||||
"A program to run just before a build to set derivation-specific build settings."};
|
R"(
|
||||||
|
If set, the path to a program that can set extra derivation-specific
|
||||||
|
settings for this system. This is used for settings that can't be
|
||||||
|
captured by the derivation model itself and are too variable between
|
||||||
|
different versions of the same system to be hard-coded into nix.
|
||||||
|
|
||||||
Setting<std::string> postBuildHook{this, "", "post-build-hook",
|
The hook is passed the derivation path and, if sandboxes are
|
||||||
"A program to run just after each successful build."};
|
enabled, the sandbox directory. It can then modify the sandbox and
|
||||||
|
send a series of commands to modify various settings to stdout. The
|
||||||
|
currently recognized commands are:
|
||||||
|
|
||||||
Setting<std::string> netrcFile{this, fmt("%s/%s", nixConfDir, "netrc"), "netrc-file",
|
- `extra-sandbox-paths`
|
||||||
"Path to the netrc file used to obtain usernames/passwords for downloads."};
|
Pass a list of files and directories to be included in the
|
||||||
|
sandbox for this build. One entry per line, terminated by an
|
||||||
|
empty line. Entries have the same format as `sandbox-paths`.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<std::string> postBuildHook{
|
||||||
|
this, "", "post-build-hook",
|
||||||
|
R"(
|
||||||
|
Optional. The path to a program to execute after each build.
|
||||||
|
|
||||||
|
This option is only settable in the global `nix.conf`, or on the
|
||||||
|
command line by trusted users.
|
||||||
|
|
||||||
|
When using the nix-daemon, the daemon executes the hook as `root`.
|
||||||
|
If the nix-daemon is not involved, the hook runs as the user
|
||||||
|
executing the nix-build.
|
||||||
|
|
||||||
|
- The hook executes after an evaluation-time build.
|
||||||
|
|
||||||
|
- The hook does not execute on substituted paths.
|
||||||
|
|
||||||
|
- The hook's output always goes to the user's terminal.
|
||||||
|
|
||||||
|
- If the hook fails, the build succeeds but no further builds
|
||||||
|
execute.
|
||||||
|
|
||||||
|
- The hook executes synchronously, and blocks other builds from
|
||||||
|
progressing while it runs.
|
||||||
|
|
||||||
|
The program executes with no arguments. The program's environment
|
||||||
|
contains the following environment variables:
|
||||||
|
|
||||||
|
- `DRV_PATH`
|
||||||
|
The derivation for the built paths.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
`/nix/store/5nihn1a7pa8b25l9zafqaqibznlvvp3f-bash-4.4-p23.drv`
|
||||||
|
|
||||||
|
- `OUT_PATHS`
|
||||||
|
Output paths of the built derivation, separated by a space
|
||||||
|
character.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
`/nix/store/zf5lbh336mnzf1nlswdn11g4n2m8zh3g-bash-4.4-p23-dev
|
||||||
|
/nix/store/rjxwxwv1fpn9wa2x5ssk5phzwlcv4mna-bash-4.4-p23-doc
|
||||||
|
/nix/store/6bqvbzjkcp9695dq0dpl5y43nvy37pq1-bash-4.4-p23-info
|
||||||
|
/nix/store/r7fng3kk3vlpdlh2idnrbn37vh4imlj2-bash-4.4-p23-man
|
||||||
|
/nix/store/xfghy8ixrhz3kyy6p724iv3cxji088dx-bash-4.4-p23`.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<std::string> netrcFile{
|
||||||
|
this, fmt("%s/%s", nixConfDir, "netrc"), "netrc-file",
|
||||||
|
R"(
|
||||||
|
If set to an absolute path to a `netrc` file, Nix will use the HTTP
|
||||||
|
authentication credentials in this file when trying to download from
|
||||||
|
a remote host through HTTP or HTTPS. Defaults to
|
||||||
|
`$NIX_CONF_DIR/netrc`.
|
||||||
|
|
||||||
|
The `netrc` file consists of a list of accounts in the following
|
||||||
|
format:
|
||||||
|
|
||||||
|
machine my-machine
|
||||||
|
login my-username
|
||||||
|
password my-password
|
||||||
|
|
||||||
|
For the exact syntax, see [the `curl`
|
||||||
|
documentation](https://ec.haxx.se/usingcurl-netrc.html).
|
||||||
|
|
||||||
|
> **Note**
|
||||||
|
>
|
||||||
|
> This must be an absolute path, and `~` is not resolved. For
|
||||||
|
> example, `~/.netrc` won't resolve to your home directory's
|
||||||
|
> `.netrc`.
|
||||||
|
)"};
|
||||||
|
|
||||||
/* Path to the SSL CA file used */
|
/* Path to the SSL CA file used */
|
||||||
Path caFile;
|
Path caFile;
|
||||||
|
|
||||||
#if __linux__
|
#if __linux__
|
||||||
Setting<bool> filterSyscalls{this, true, "filter-syscalls",
|
Setting<bool> filterSyscalls{
|
||||||
"Whether to prevent certain dangerous system calls, such as "
|
this, true, "filter-syscalls",
|
||||||
"creation of setuid/setgid files or adding ACLs or extended "
|
R"(
|
||||||
"attributes. Only disable this if you're aware of the "
|
Whether to prevent certain dangerous system calls, such as
|
||||||
"security implications."};
|
creation of setuid/setgid files or adding ACLs or extended
|
||||||
|
attributes. Only disable this if you're aware of the
|
||||||
|
security implications.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
|
Setting<bool> allowNewPrivileges{
|
||||||
"Whether builders can acquire new privileges by calling programs with "
|
this, false, "allow-new-privileges",
|
||||||
"setuid/setgid bits or with file capabilities."};
|
R"(
|
||||||
|
(Linux-specific.) By default, builders on Linux cannot acquire new
|
||||||
|
privileges by calling setuid/setgid programs or programs that have
|
||||||
|
file capabilities. For example, programs such as `sudo` or `ping`
|
||||||
|
will fail. (Note that in sandbox builds, no such programs are
|
||||||
|
available unless you bind-mount them into the sandbox via the
|
||||||
|
`sandbox-paths` option.) You can allow the use of such programs by
|
||||||
|
enabling this option. This is impure and usually undesirable, but
|
||||||
|
may be useful in certain scenarios (e.g. to spin up containers or
|
||||||
|
set up userspace network interfaces in tests).
|
||||||
|
)"};
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
Setting<Strings> hashedMirrors{this, {}, "hashed-mirrors",
|
Setting<Strings> hashedMirrors{
|
||||||
"A list of servers used by builtins.fetchurl to fetch files by hash."};
|
this, {}, "hashed-mirrors",
|
||||||
|
R"(
|
||||||
|
A list of web servers used by `builtins.fetchurl` to obtain files by
|
||||||
|
hash. The default is `http://tarballs.nixos.org/`. Given a hash type
|
||||||
|
*ht* and a base-16 hash *h*, Nix will try to download the file from
|
||||||
|
*hashed-mirror*/*ht*/*h*. This allows files to be downloaded even if
|
||||||
|
they have disappeared from their original URI. For example, given
|
||||||
|
the default mirror `http://tarballs.nixos.org/`, when building the
|
||||||
|
derivation
|
||||||
|
|
||||||
Setting<uint64_t> minFree{this, 0, "min-free",
|
```nix
|
||||||
"Automatically run the garbage collector when free disk space drops below the specified amount."};
|
builtins.fetchurl {
|
||||||
|
url = "https://example.org/foo-1.2.3.tar.xz";
|
||||||
|
sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
Setting<uint64_t> maxFree{this, std::numeric_limits<uint64_t>::max(), "max-free",
|
Nix will attempt to download this file from
|
||||||
"Stop deleting garbage when free disk space is above the specified amount."};
|
`http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae`
|
||||||
|
first. If it is not available there, if will try the original URI.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<uint64_t> minFree{
|
||||||
|
this, 0, "min-free",
|
||||||
|
R"(
|
||||||
|
When free disk space in `/nix/store` drops below `min-free` during a
|
||||||
|
build, Nix performs a garbage-collection until `max-free` bytes are
|
||||||
|
available or there is no more garbage. A value of `0` (the default)
|
||||||
|
disables this feature.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
Setting<uint64_t> maxFree{
|
||||||
|
this, std::numeric_limits<uint64_t>::max(), "max-free",
|
||||||
|
R"(
|
||||||
|
When a garbage collection is triggered by the `min-free` option, it
|
||||||
|
stops as soon as `max-free` bytes are available. The default is
|
||||||
|
infinity (i.e. delete all garbage).
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<uint64_t> minFreeCheckInterval{this, 5, "min-free-check-interval",
|
Setting<uint64_t> minFreeCheckInterval{this, 5, "min-free-check-interval",
|
||||||
"Number of seconds between checking free disk space."};
|
"Number of seconds between checking free disk space."};
|
||||||
|
|
||||||
Setting<Paths> pluginFiles{this, {}, "plugin-files",
|
Setting<Paths> pluginFiles{
|
||||||
"Plugins to dynamically load at nix initialization time."};
|
this, {}, "plugin-files",
|
||||||
|
R"(
|
||||||
|
A list of plugin files to be loaded by Nix. Each of these files will
|
||||||
|
be dlopened by Nix, allowing them to affect execution through static
|
||||||
|
initialization. In particular, these plugins may construct static
|
||||||
|
instances of RegisterPrimOp to add new primops or constants to the
|
||||||
|
expression language, RegisterStoreImplementation to add new store
|
||||||
|
implementations, RegisterCommand to add new subcommands to the `nix`
|
||||||
|
command, and RegisterSetting to add new nix config settings. See the
|
||||||
|
constructors for those types for more details.
|
||||||
|
|
||||||
|
Since these files are loaded into the same address space as Nix
|
||||||
|
itself, they must be DSOs compatible with the instance of Nix
|
||||||
|
running at the time (i.e. compiled against the same headers, not
|
||||||
|
linked to any incompatible libraries). They should not be linked to
|
||||||
|
any Nix libs directly, as those will be available already at load
|
||||||
|
time.
|
||||||
|
|
||||||
|
If an entry in the list is a directory, all files in the directory
|
||||||
|
are loaded as plugins (non-recursively).
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<std::string> githubAccessToken{this, "", "github-access-token",
|
Setting<std::string> githubAccessToken{this, "", "github-access-token",
|
||||||
"GitHub access token to get access to GitHub data through the GitHub API for github:<..> flakes."};
|
"GitHub access token to get access to GitHub data through the GitHub API for `github:<..>` flakes."};
|
||||||
|
|
||||||
Setting<Strings> experimentalFeatures{this, {}, "experimental-features",
|
Setting<Strings> experimentalFeatures{this, {}, "experimental-features",
|
||||||
"Experimental Nix features to enable."};
|
"Experimental Nix features to enable."};
|
||||||
|
|
|
@ -149,11 +149,48 @@ void Config::convertToArgs(Args & args, const std::string & category)
|
||||||
s.second.setting->convertToArg(args, category);
|
s.second.setting->convertToArg(args, category);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static std::string stripIndentation(std::string_view s)
|
||||||
|
{
|
||||||
|
size_t minIndent = 10000;
|
||||||
|
size_t curIndent = 0;
|
||||||
|
bool atStartOfLine = true;
|
||||||
|
|
||||||
|
for (auto & c : s) {
|
||||||
|
if (atStartOfLine && c == ' ')
|
||||||
|
curIndent++;
|
||||||
|
else if (c == '\n') {
|
||||||
|
if (atStartOfLine)
|
||||||
|
minIndent = std::max(minIndent, curIndent);
|
||||||
|
curIndent = 0;
|
||||||
|
atStartOfLine = true;
|
||||||
|
} else {
|
||||||
|
if (atStartOfLine) {
|
||||||
|
minIndent = std::min(minIndent, curIndent);
|
||||||
|
atStartOfLine = false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
std::string res;
|
||||||
|
|
||||||
|
size_t pos = 0;
|
||||||
|
while (pos < s.size()) {
|
||||||
|
auto eol = s.find('\n', pos);
|
||||||
|
if (eol == s.npos) eol = s.size();
|
||||||
|
if (eol - pos > minIndent)
|
||||||
|
res.append(s.substr(pos + minIndent, eol - pos - minIndent));
|
||||||
|
res.push_back('\n');
|
||||||
|
pos = eol + 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
AbstractSetting::AbstractSetting(
|
AbstractSetting::AbstractSetting(
|
||||||
const std::string & name,
|
const std::string & name,
|
||||||
const std::string & description,
|
const std::string & description,
|
||||||
const std::set<std::string> & aliases)
|
const std::set<std::string> & aliases)
|
||||||
: name(name), description(description), aliases(aliases)
|
: name(name), description(stripIndentation(description)), aliases(aliases)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -37,10 +37,12 @@ typedef uint64_t ActivityId;
|
||||||
|
|
||||||
struct LoggerSettings : Config
|
struct LoggerSettings : Config
|
||||||
{
|
{
|
||||||
Setting<bool> showTrace{this,
|
Setting<bool> showTrace{
|
||||||
false,
|
this, false, "show-trace",
|
||||||
"show-trace",
|
R"(
|
||||||
"Whether to show a stack trace on evaluation errors."};
|
Where Nix should print out a stack trace in case of Nix
|
||||||
|
expression evaluation errors.
|
||||||
|
)"};
|
||||||
};
|
};
|
||||||
|
|
||||||
extern LoggerSettings loggerSettings;
|
extern LoggerSettings loggerSettings;
|
||||||
|
|
Loading…
Reference in a new issue